Snort rule syntax to match multiple itypes that are NOT consecutive

["ab1197590 () gmail com" <ab1197590 () gmail com>]

Hello list,

I was trying to make a snort rule in which one could match multiple
ICMP types that are _not_ consecutive. For example ICMP echo requests
or replies between two IPs (e.g: 10.10.10.101 and 10.10.10.100).

I have tried too syntaxs which did not work.

1) Tried specifying two itype fields, but this was invalid.
2) Tried putting a space in between the numbers 0 and 8 to denote Echo
Requests and Echo Replies.


So can this be done?


> From the Snort manual:

3.6.14 itype
The itype keyword is used to check for a specific ICMP type value.
Format
    itype:[<|>]<number>[<><number>];
Example
This example looks for an ICMP type greater than 30.
    itype:>30;
3.6.15 icode
The icode keyword is used to check for a specific ICMP code value.
Format
    icode: [<|>]<number>[<><number>];
Example
This example looks for an ICMP code greater than 30.
    code:>30;


Any help would be much appreciated.

Thanks.

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users